X €120 Million DSA Fine 2026: Ad Repository Transparency Failures and Advertiser Implications
The EU's first DSA non-compliance fine hit X for an ad repository that obscured who paid for ads. Here is what the €120M decision changes for advertisers buying X inventory.
The First DSA Non-Compliance Fine
On 5 December 2025 the European Commission issued a €120 million fine against X — the first non-compliance decision under the Digital Services Act (DSA). This matters to advertisers far beyond X itself, because the Commission did not penalize a single piece of content. It penalized the transparency infrastructure around advertising and platform identity: the ad repository, the paid verification system, and the researcher data access regime.
For media buyers, the lesson is structural. The DSA's enforcement priority is not the individual ad creative but whether the platform can show, in a usable public archive, who paid for an ad, what the ad said, and who it targeted. When that archive is deficient, every advertiser running inventory on the platform inherits a transparency exposure they did not create and cannot fix from the ad account.
"X's advertisement repository is not fit for purpose: it lacks the content and topic of advertisements and the legal entity paying for them, and it incorporates design features and access barriers that undermine the repository's purpose."
— European Commission, DSA non-compliance decision, 5 December 2025
This guide breaks down what the decision actually found, why the ad repository failure is the advertiser's problem and not only the platform's, and the concrete steps to take before continuing to buy X inventory in 2026.
What the December 2025 Decision Found
The Commission's decision identified three distinct breach categories. Each maps to a different DSA transparency obligation, and each carries a different implication for advertisers. The table summarizes the findings as published.
| Breach category | What the Commission found | Advertiser implication |
|---|---|---|
| Deceptive verification design | Paid "verified" status granted without meaningful identity verification | Verified accounts are not a reliable trust or brand-safety signal |
| Ad repository deficiency | Missing advertiser identity, ad content and topic; poor searchability; processing delays | Your own ads may be inadequately documented in the public archive |
| Researcher data access failure | Terms of service and procedural barriers blocked vetted researcher access | Systemic-risk visibility into adjacency and amplification is reduced |
The fine amount was calculated on the nature and gravity of the infringements, the number of affected EU users, and the duration of the conduct. The Commission framed the ad repository deficiency as undermining the ability of the public, regulators, and researchers to scrutinize advertising — which is precisely the function advertisers depend on to demonstrate their own compliance. Track subsequent enforcement and remediation milestones through the policy tracker and review the broader framework in the EU DSA compliance overview.
Why the Ad Repository Failure Matters to Advertisers
Under the DSA, every Very Large Online Platform must maintain a public ad repository containing, for each ad, the content of the advertisement, the natural or legal person on whose behalf it was presented, who paid for it, the period of display, the targeting parameters used, and the total reach. This is not a courtesy archive — it is the evidentiary backbone that lets a regulator, a journalist, or a competitor reconstruct exactly what an advertiser ran and to whom.
The Commission found X's repository missing the advertiser legal entity, the ad content and topic, and adequate searchability, with processing delays that frustrated access. For an advertiser, this produces a counterintuitive exposure: a deficient repository is not a benefit. If your campaign is later questioned — by a regulator, an NGO, or in litigation — the platform-side archive is the primary record of what you ran. A repository that is incomplete or unsearchable does not protect the advertiser; it removes the advertiser's ability to point to an authoritative, contemporaneous record of compliant disclosure and targeting.
- Maintain an independent ad archive: retain creative, targeting parameters, payer entity, flight dates, and approvals for every X campaign — do not rely on the platform repository as your system of record.
- Verify payer attribution: confirm the legal entity shown as the payer in any available repository entry matches the entity that should appear, especially where agencies or resellers are intermediaries.
- Document political and issue ads separately: these carry heightened DSA transparency obligations and are the highest-scrutiny category in a deficient-repository environment.
Map the disclosure and record-keeping obligations across jurisdictions with the legal compliance scan, and pre-check campaign copy and claims with the AI compliance audit before spend so the independent archive contains compliant assets.
Deceptive Verification and Brand-Safety Exposure
The Commission's finding that paid verification is granted "without the company meaningfully verifying who is behind the account" has a direct brand-safety consequence. A large share of media-buying brand-safety and influencer-vetting workflows historically treated a verification badge as a lightweight authenticity proxy. The decision formally invalidates that assumption on this platform: a verified badge does not establish that the account is who it claims to be.
This changes two operational practices. First, influencer and partnership vetting on X cannot rely on the badge as an identity signal — independent verification of the entity, ownership, and history is required before a paid relationship. Second, adjacency risk increases: impersonation and inauthentic accounts that carry a paid badge can sit next to brand inventory while presenting a false credibility cue to the same audience seeing the ad. Treat the badge as a paid feature, not an identity attestation, and document the independent verification performed for any creator or partner relationship.
"Verification on a platform is a trust signal only to the extent the platform actually verifies identity. Where it does not, advertisers must replace the badge with their own due-diligence record — the badge is now a liability shortcut, not evidence."
— AuditSocials Research
For creator partnerships, run disclosure and relationship documentation through the disclosure checker and align platform-specific rules with the X ads policy guide.
Researcher Data Access and Systemic-Risk Visibility
The third breach — blocking vetted researcher access through terms of service and procedural barriers — looks remote from media buying but is not. Researcher access under the DSA is the mechanism by which systemic risks such as coordinated inauthentic behavior, illegal-content amplification, and ad-adjacency to harmful material are independently measured. When that access is obstructed, advertisers lose an external check on the environment their ads run in.
In practical terms, a brand cannot outsource its adjacency monitoring to "the research community will catch it." With independent visibility reduced, the burden shifts back to the advertiser's own brand-safety tooling, inclusion and exclusion lists, and post-campaign placement audits. The defensible posture is to assume less external transparency, not more, and to compensate with stricter first-party controls and continuous monitoring rather than periodic spot checks.
- Tighten inventory controls: prefer inclusion lists and topic exclusions over broad reach when external transparency is constrained.
- Increase placement-audit cadence: move from quarterly to continuous adjacency review for sensitive categories.
- Escalate political and crisis periods: apply heightened controls during elections and high-risk news cycles where amplification risk peaks.
Advertiser Playbook for X Inventory in 2026
The decision does not require advertisers to leave X. It requires them to stop treating the platform's transparency infrastructure as a substitute for their own. The playbook below is the defensible operating posture for buying X inventory while the remediation obligations are outstanding.
- Own the system of record: maintain a complete, independent archive of every X campaign — creative, payer entity, targeting, flight dates, approvals — regardless of repository state.
- Re-baseline verification: remove the verified badge from vetting criteria; require independent identity and ownership checks for creators and partners.
- Strengthen adjacency controls: shift to inclusion-led buying and continuous placement audits given reduced external research visibility.
- Escalate political/issue ads: apply the heightened-disclosure track and document targeting and payer attribution explicitly.
- Monitor remediation status: the Commission's decision triggers an action-plan and remediation process — track milestones and reassess inventory posture as they resolve through the policy tracker.
- Pre-flight every flight: validate copy, claims, and disclosures with the AI compliance audit so archived assets are defensible on their own.
The asymmetry is the same one that governs all transparency compliance: maintaining an independent record costs operational hours, while being unable to evidence what you ran on a platform whose own archive a regulator has formally found inadequate is an open-ended exposure.
X Advertiser Compliance Checklist
- [ ] Independent archive maintained for every X campaign (creative, payer, targeting, dates, approvals)
- [ ] Payer legal entity verified against intended entity, including agency/reseller chains
- [ ] Verified badge removed from creator/partner vetting criteria
- [ ] Independent identity and ownership checks documented for all paid relationships
- [ ] Inclusion-led buying and continuous adjacency audits in place
- [ ] Political/issue ads on heightened-disclosure track with targeting documented
- [ ] Remediation milestones monitored and inventory posture reassessed on changes
- [ ] Every flight pre-flighted for copy, claims, and disclosure compliance